...

Keytab files are created with ktpass, preferably on Windows Server 2008 or later. The user running ktpass must be a member of Domain Admins or Enterprise Admins.
See this section for detailed instructions.

How do I merge keytabs? 

Keytabs are merged inside Kantega Single Sign-on by uploading one keytab file at a time and choosing to merge with, rather than overwrite, the previously uploaded keytab. See more on this here.

...

https://confluence.atlassian.com/conf73/configuring-secure-administrator-sessions-991928809.html

Kerberos will not work when using the host-resolver-rules flag in Chrome to configure DNS for your server

During testing you may want to use the host-resolver-rules flag to get your Jira answering on jira.example.com instead of configuring this correctly in DNS. This is how host-resolver-rules is used:

chrome.exe --host-resolver-rules="MAP jira.example.com 192.16.1.50"

Our testing shows that with such a setup, getting a Kerberos ticket from AD does not work. So when testing Kerberos you will have to configure the mapping between jira.example.com and its IP address either in your DNS servers or in your local hosts file.

...

Why do I see an error message in the Jira log when a user uses “Re-authenticate with SSO”?

Jira logs the error “Thread corrupted! ActionContext still references a HttpSession” when the websudo (secure administrator) session is established. This has no functional impact. The message is caused by an internal Jira quirk that the add-on cannot avoid. To remove the error message from the logs, you may add this line:

Code Block
<logger name="com.atlassian.jira.web.filters.steps.requestcleanup.WebworkActionCleanupStep" level="OFF"/>

just above the closing elements </Loggers></Configuration> at the bottom of the file:
${JIRA_INSTALL}/atlassian-jira/WEB-INF/classes/log4j2.xml

Note that level="OFF" silences every message from that logger, not only this one.

User Directories

How are Kerberos users mapped to accounts in User Directories?

...

https://confluence.atlassian.com/jirakb/bulk-update-user-information-in-jira-server-644875261.html

SAML and OIDC

What is the difference between SAML and OpenID Connect?

SAML and OpenID Connect (OIDC) are both identity federation technologies. SAML is XML-based, while OIDC is built on top of OAuth 2.0 using JSON and REST. Both are mature and secure protocols for setting up SSO to Confluence, and both work with desktop browsers and mobile apps.

More info about SAML and OpenID Connect


My Kerberos authentication has stopped working

Potential error messages:

  • Parsing of the client's SPNEGO token failed with: java.lang.IllegalArgumentException: Expected tag byte should be 60, was 4e (0x60 is the tag that opens a GSS-API/SPNEGO token; 0x4e is the ASCII “N” that begins an NTLMSSP token, so this message means the browser sent NTLM instead of a Kerberos ticket)

We changed our Kerberos implementation in version 6.26.0. If you encounter errors with Kerberos authentication after upgrading to this version, please contact us through our help desk or by email to servicedesk@kantega-sso.com. We recommend enabling the legacy Kerberos implementation as described on this page to see if it resolves the issue or changes the error message: https://kantega-sso.atlassian.net/wiki/spaces/KSE/pages/1442742278/Dark+Features#Use-legacy-Kerberos


OIDC

Why do I get an error message with HTTP 401 UNAUTHORIZED: Please check that your client_secret is correct?

The following error message indicates that the IDP no longer accepts the configured client secret: [OIDC-K6JCV4L81E] Failed performing OIDC POST request: Expected HTTP 200 OK. Actual response was HTTP 401 UNAUTHORIZED Please check that your client_secret is correct.

Possible explanations:

  • The client secret for your OIDC integration has expired.

  • You accidentally copied the wrong value. For example, Microsoft Entra ID (Azure AD) shows both a Secret ID and a secret Value for each client secret; the Secret ID (a GUID) is often pasted by mistake, while only the Value works as the client secret, and the Value is shown only once, when the secret is created.
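A quick way to confirm the second explanation independently of the add-on is to present the configured client_id and client_secret to the IDP's token endpoint yourself and see whether it answers invalid_client. The Python below is an added example, not code from this page or from Kantega SSO: it runs the check against a constructed loopback stand-in for the token endpoint so that it works offline, and the client ID, the secret values, the endpoint path and the stand-in's behaviour are all assumptions. Against a real IDP, point check_client_secret at the token_endpoint from the provider's OpenID discovery document.

```python
import base64
import json
import threading
import urllib.error
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed stand-in for an IdP token endpoint (assumption: not any real IdP).
# It accepts exactly one client_id/client_secret pair presented as HTTP Basic
# credentials (RFC 6749 section 2.3.1) and answers 401 invalid_client otherwise.
VALID_CLIENT_ID = "jira-sso"
VALID_CLIENT_SECRET = "correct-secret-value"


def basic_credentials(client_id, client_secret):
    # RFC 6749 requires client_id and client_secret to be form-urlencoded before base64
    raw = f"{urllib.parse.quote(client_id, safe='')}:{urllib.parse.quote(client_secret, safe='')}"
    return "Basic " + base64.b64encode(raw.encode()).decode()


class _FakeTokenEndpoint(BaseHTTPRequestHandler):
    def do_POST(self):
        self.rfile.read(int(self.headers.get("Content-Length", "0")))  # body not inspected
        if self.headers.get("Authorization") == basic_credentials(VALID_CLIENT_ID, VALID_CLIENT_SECRET):
            status, body = 200, {"access_token": "opaque", "token_type": "Bearer", "expires_in": 300}
        else:
            status, body = 401, {"error": "invalid_client", "error_description": "client secret rejected"}
        payload = json.dumps(body).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_fake_idp():
    """Start the stand-in on a free loopback port; returns (server, token_endpoint_url)."""
    server = HTTPServer(("127.0.0.1", 0), _FakeTokenEndpoint)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}/oauth2/token"


def check_client_secret(token_endpoint, client_id, client_secret, timeout=5):
    """Try a client_credentials grant and classify the outcome:
    'ok'                          the IdP accepted the secret and issued a token
    'invalid_client'              HTTP 401 or error=invalid_client: secret wrong or expired
    'secret_accepted_grant_refused'  authenticated, but this grant/scope is not allowed
    'other:<code>'                anything else (wrong endpoint URL, outage, ...)
    """
    req = urllib.request.Request(
        token_endpoint,
        data=urllib.parse.urlencode({"grant_type": "client_credentials"}).encode(),
        method="POST",
        headers={"Authorization": basic_credentials(client_id, client_secret),
                 "Content-Type": "application/x-www-form-urlencoded"},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            json.load(resp)  # a 200 without a JSON body would also be suspicious
            return "ok"
    except urllib.error.HTTPError as err:
        try:
            detail = json.load(err)  # OAuth error responses carry a JSON body
        except ValueError:
            detail = {}
        if err.code == 401 or detail.get("error") == "invalid_client":
            return "invalid_client"
        if detail.get("error") in ("unauthorized_client", "unsupported_grant_type", "invalid_scope"):
            return "secret_accepted_grant_refused"
        return f"other:{err.code}"


if __name__ == "__main__":
    server, url = start_fake_idp()
    print(check_client_secret(url, VALID_CLIENT_ID, VALID_CLIENT_SECRET))
    # Pasting the Entra "Secret ID" (a GUID) instead of the secret Value looks like this:
    print(check_client_secret(url, VALID_CLIENT_ID, "0f3c1d2e-1111-2222-3333-444455556666"))
    server.shutdown()
```

If the value stored in the add-on gives invalid_client while a freshly created secret gives ok or secret_accepted_grant_refused, the stored secret is the problem, not the integration. The client_credentials grant may not be permitted for the application at all; an authenticated-but-refused reply still proves the secret was accepted. Do not paste production secrets on a shared shell command line where they land in history.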

...

SAML

Which Identity Providers do you support?

We have made step-by-step instructions for the most common IDPs. If your IDP is not listed, choose "Any other SAML / OIDC provider" in the setup wizard.
If you want to add a vote for your IDP to be added to the setup wizard, don't hesitate to reach out to us.

Do we need to make any file system changes to offer SAML or OIDC to mobile devices or JIRA Service Desk?

No, there is no need to make file system changes. Installing Kantega Single Sign-on will give you SSO to both JIRA and JIRA Service Desk. There is a switch to disable SAML/OIDC login for JSD on the “Redirect modes” page.

What is “known domains”?

The Known domains feature serves two purposes: it increases security, and it enables the plugin to redirect the user to the correct IDP.

Say you have a user mark.miller@example.com. If example.com is a known domain for exactly one IDP, we can redirect the user to that IDP.
If example.com is a known domain for two or more IDPs, the user must choose. Remember to select a good name for your IDP.

If known domains is set to "Trust identity provider to log in users from any domain", the IDP can potentially authenticate users from any domain, including domains it does not own, so only select this for an IDP you trust with every domain.

What is “hosted domain”?

Hosted domain (hd) is a parameter sent to the IDP as a hint about which domain the user should log in with. You can enable this functionality in the Known Domains tab. This is not a security feature, as it does not prevent logging in with another domain; it improves the user experience with providers that support it.
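To make the two roles of known domains, and the difference from the hd hint, concrete, here is an added example in Python (not Kantega's code): a routing function that picks the IDP from the user's e-mail domain, a redirect builder that appends the hd hint only where enabled, and a post-login check that refuses an assertion for a domain the IDP is not known for. The provider names, URLs, domains and the configuration shape are all assumptions made for the example.

```python
from urllib.parse import urlencode

# The "Trust identity provider to log in users from any domain" setting, as a marker value.
TRUST_ANY_DOMAIN = "trust-any"

# Constructed provider configuration; provider names and URLs are assumptions, not Kantega's.
PROVIDERS = {
    "Corp Entra ID": {
        "known_domains": {"example.com"},
        "login_url": "https://login.example.com/oauth2/authorize",
        "send_hosted_domain": True,   # the hd hint from the "hosted domain" question
    },
    "Partner Okta": {
        "known_domains": {"example.com", "partner.example"},
        "login_url": "https://partner.okta.example/app/saml/sso",
        "send_hosted_domain": False,
    },
    "Legacy ADFS": {
        "known_domains": TRUST_ANY_DOMAIN,
        "login_url": "https://adfs.example.net/adfs/ls/",
        "send_hosted_domain": False,
    },
}


def email_domain(email):
    local, at, domain = email.strip().rpartition("@")
    if not at or not local or not domain:
        raise ValueError(f"not an e-mail address: {email!r}")
    return domain.lower()


def candidate_providers(email):
    """Providers whose known domains include the user's domain.

    One hit: redirect straight there. Several: the user must choose, so name them well.
    'Trust any' providers are not matched here; a domain tells us nothing about them."""
    domain = email_domain(email)
    return [name for name, cfg in PROVIDERS.items()
            if cfg["known_domains"] != TRUST_ANY_DOMAIN and domain in cfg["known_domains"]]


def login_redirect(provider, email):
    """Build the redirect to the provider, adding hd=<domain> only where enabled.

    hd is a hint for the IdP's account chooser; nothing enforces it."""
    cfg = PROVIDERS[provider]
    url = cfg["login_url"]
    if cfg["send_hosted_domain"]:
        url += "?" + urlencode({"hd": email_domain(email)})
    return url


def assertion_allowed(provider, asserted_email):
    """Post-login enforcement: accept the IdP's assertion only for domains it is known for.

    This is the security half of known domains. With 'trust any' nothing is checked,
    so that provider could log in a user as someone@any-domain-you-own."""
    cfg = PROVIDERS[provider]
    if cfg["known_domains"] == TRUST_ANY_DOMAIN:
        return True
    return email_domain(asserted_email) in cfg["known_domains"]


if __name__ == "__main__":
    print(candidate_providers("mark.miller@example.com"))           # two hits: user must choose
    print(candidate_providers("ann@partner.example"))               # one hit: redirect directly
    print(login_redirect("Corp Entra ID", "mark.miller@example.com"))
    print(assertion_allowed("Partner Okta", "mallory@example.net"))  # False: not a known domain
    print(assertion_allowed("Legacy ADFS", "mallory@example.net"))   # True: trust-any, nothing stops it
```

The last two calls are the point of the example: the same foreign-domain assertion is rejected by a provider with an explicit domain list and accepted by the trust-any provider, which is exactly the exposure the FAQ warns about.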

Can we add multiple Identity Providers?

Yes, add as many as you like, and combine SAML and OIDC if you like!

By adjusting the modes under “Redirect rules” for each provider, you can prioritize when each should trigger.

Is logging in with mobile devices supported?

Yes, JIRA Mobile and Confluence Mobile clients are offered SAML and OIDC login. 

Do you support SAML and OIDC for the JIRA Service Desk?

Yes, both JIRA Service Desk agents and customers are offered SAML and OIDC login. You may disable SAML and OIDC login for JSD users if you like.

How do I solve a 'BeanInstantiationException: Failed to instantiate [org.kantega.atlaskerb.saml.SamlConfManager]' during startup when using AppDynamics or Prometheus?

When using the AppDynamics agent or Prometheus, Kantega SSO may fail to enable with a BeanInstantiationException, frequently with the internal cause org.w3c.dom.ls.LSException: An unsupported encoding is encountered.

We have reports of customers resolving this by adding the following parameter to the startup script:

Code Block
-Datlassian.org.osgi.framework.bootdelegation=META-INF.services,com.yourkit,com.singularity.*,com.jprofiler,com.jprofiler.*,org.apache.xerces,org.apache.xerces.*,org.apache.xalan,org.apache.xalan.*,sun.*,com.sun.jndi,com.icl.saxon,com.icl.saxon.*,javax.servlet,javax.servlet.*,com.sun.xml.*,org.apache.xml.serializer,net.shibboleth.utilities.*,org.opensaml.core.*

...

Why do I get the error code SUBJECT_CONFIRMATION_DATA_UNEXPECTED_IN_RESPONSE_TO?

When a user is redirected from an Atlassian Data Center instance to the identity provider for authentication, the redirect includes a unique authentication request ID. When the IDP later returns the user to the Atlassian Data Center, the SAML Response from the IDP must carry an InResponseTo attribute with the same ID. If the add-on receives a SAML Response with an unknown InResponseTo ID, you will see that error message.

It can happen for a number of reasons:

  • The user spent too long at the IDP (more than 30 minutes), so the ID is no longer recognized by the time the user returns with a SAML Response. The most common cause is a browser window left open from the previous work day.

  • VPN: if the users are connecting to your Data Center through a saturated VPN, you may

  • Replay: an ID can only be used once. If a user reloads certain login pages, the same SAML Response can be POSTed again. The ID has already been removed and is no longer usable, producing the error.

  • Data Center specific: clustering problems. The ID is stored in a distributed cache (atlassian-cache), so that if the user returns to a different node than the one that initiated the login, the login can still continue. Usually, though, sticky sessions ensure users return to the node they started on.

    • If you have load-balancing problems and cannot achieve sticky sessions, you may encounter this error. You may also see users experiencing login loops.
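The bookkeeping the explanation above describes, as an added example written for this page (not the add-on's code): an outstanding-request store that hands out single-use AuthnRequest IDs with a 30-minute lifetime, and a validator that checks a SAML Response's InResponseTo against it. The XML Response is constructed and unsigned, the store is a per-process dictionary standing in for the distributed cache, and the error strings are this example's own; the add-on reports all of these cases under the single code SUBJECT_CONFIRMATION_DATA_UNEXPECTED_IN_RESPONSE_TO.

```python
import secrets
import time
import xml.etree.ElementTree as ET

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
REQUEST_TTL_SECONDS = 30 * 60  # the 30-minute window the FAQ describes


class AuthnRequestStore:
    """Outstanding AuthnRequest IDs, keyed by ID with the time they were issued.

    Stand-in for the distributed cache (atlassian-cache) the FAQ mentions: in a
    cluster every node must see the same store, otherwise a user returning to a
    different node gets 'unknown_id'. The injectable clock lets the expiry path
    run without waiting 30 minutes.
    """

    def __init__(self, clock=time.time):
        self._pending = {}
        self._clock = clock

    def issue(self):
        # xs:ID values must not start with a digit, hence the leading underscore.
        request_id = "_" + secrets.token_hex(16)
        self._pending[request_id] = self._clock()
        return request_id

    def consume(self, request_id):
        """Single use: the ID is removed on first lookup, whatever the outcome."""
        issued_at = self._pending.pop(request_id, None)
        if issued_at is None:
            return "unknown_id"  # never issued, already used (replay), or on another node
        if self._clock() - issued_at > REQUEST_TTL_SECONDS:
            return "expired"     # the user took too long at the IdP
        return None


def build_response(in_response_to):
    """Constructed, unsigned minimal SAML Response for the demo.

    A real Response must have its signature verified, and Recipient, NotOnOrAfter
    and Audience checked, before InResponseTo is consulted.
    """
    return f"""<samlp:Response xmlns:samlp="{SAMLP_NS}" xmlns:saml="{SAML_NS}"
    ID="_r1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z" InResponseTo="{in_response_to}">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Subject>
      <saml:NameID>mark.miller@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData InResponseTo="{in_response_to}"
            Recipient="https://jira.example.com/plugins/servlet/no.kantega.saml/sp/1/login"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>""".encode()


def validate_in_response_to(response_xml, store):
    """Return None if the Response answers an outstanding request, else an error string."""
    # xml.etree does not fetch external entities, but for untrusted XML in
    # production prefer defusedxml, which also blocks entity-expansion bombs.
    root = ET.fromstring(response_xml)
    if root.tag != f"{{{SAMLP_NS}}}Response":
        return "not_a_response"
    response_ref = root.get("InResponseTo")
    scd = root.find(f".//{{{SAML_NS}}}SubjectConfirmationData")
    subject_ref = scd.get("InResponseTo") if scd is not None else None
    # Both references must be present and agree; an unsolicited (IdP-initiated)
    # Response has neither and must not satisfy an SP-initiated login.
    if not response_ref or subject_ref != response_ref:
        return "missing_or_mismatched_in_response_to"
    return store.consume(response_ref)


def demo():
    """Walk through the FAQ's failure modes with a controllable clock."""
    now = [1_700_000_000.0]
    store = AuthnRequestStore(clock=lambda: now[0])
    results = {}
    rid = store.issue()
    results["fresh"] = validate_in_response_to(build_response(rid), store)
    results["replay"] = validate_in_response_to(build_response(rid), store)  # same Response POSTed twice
    rid = store.issue()
    now[0] += REQUEST_TTL_SECONDS + 1                                          # tab left open overnight
    results["stale"] = validate_in_response_to(build_response(rid), store)
    results["unknown"] = validate_in_response_to(build_response("_never_issued"), store)
    results["unsolicited"] = validate_in_response_to(build_response(""), store)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:12s} -> {outcome or 'accepted'}")
```

The replay case is why a page reload that re-POSTs the same Response fails: the first POST consumed the ID. The expiry check runs after the pop, so a stale ID is also removed rather than lingering in the cache.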

Environment

Can I use "Edit in Office" (WebDAV) in combination with SAML or OIDC for Confluence 6.11.x and newer?

...

Code Block
# Appender configuration
log4j.appender.filelogdump=com.atlassian.confluence.logging.ConfluenceHomeLogAppender
log4j.appender.filelogdump.LogFileName=catalina-dump-log4j.log
log4j.appender.filelogdump.MaxFileSize=20480KB
log4j.appender.filelogdump.layout=org.apache.log4j.PatternLayout
log4j.appender.filelogdump.layout.ConversionPattern=%m%n
log4j.appender.filelogdump.MaxBackupIndex=10
#
## Logger configuration
# Send the request dump to the appender above; additivity=false keeps it out of the main log
log4j.logger.org.apache.catalina.filters.RequestDumperFilter=DEBUG, filelogdump
log4j.additivity.org.apache.catalina.filters.RequestDumperFilter=false

Then add the following filter and mapping to web.xml (webapp/WEB-INF/web.xml). Note that RequestDumperFilter writes every request header, cookie and parameter for the matched URLs to the dump file, including session cookies and the SAML/OIDC responses themselves, so restrict access to the dump file and remove the filter and logger again once you have collected what you need:

Code Block
    <filter>
      <filter-name>requestDumperFilter</filter-name>
      <filter-class>org.apache.catalina.filters.RequestDumperFilter</filter-class>
    </filter>

    <filter-mapping>
      <filter-name>requestDumperFilter</filter-name>
      <url-pattern>/plugins/servlet/no.kantega.saml/sp/*</url-pattern>
    </filter-mapping>

SAML or OIDC redirect back to /plugins/servlet/no.kantega.saml/sp/{idp-id}/login responds with 403 error

If the request returning from the IDP to /plugins/servlet/no.kantega.saml/sp/{idp-id}/login is visible in the Tomcat catalina.out log but never reaches the application itself (Jira, Confluence, Bitbucket, Bamboo), i.e. only Tomcat logs the request and neither the host application nor the Kantega SSO plugin does, the cause is most likely another filter configured in Tomcat's web.xml that rejects the request.
An example of a filter that may block the request is a CORS filter such as org.apache.catalina.filters.CorsFilter.
Related article on configuration of CorsFilter with Confluence can be found here:
https://jira.atlassian.com/browse/CONFSERVER-41269
Tomcat documentation:
https://tomcat.apache.org/tomcat-9.0-doc/config/filter.html#CORS_Filter

What to do if you get an AWS-related session problem?

We sometimes see that an AWS load balancer in front of a multi-node cluster (of Confluence, Jira, etc.) has problems retaining session stickiness. Stability of a clustered setup seems to improve by enabling application-based stickiness in the AWS load balancer, configured for the cookie used by your application (by default the cookie is named JSESSIONID). See more about this here: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/sticky-sessions.html#application-based-stickiness.

Typical symptoms of this problem are:

  • login loops

  • login sessions suddenly dropping

  • the AWS cookie AWSALB suddenly changing, which moves the browser to another node, which in turn typically causes the login session to drop (the user gets logged out)

API Tokens

User accounts get locked out when API tokens are invalidated or expire. How can I prevent this from happening?

...

Without a license, Kantega SSO will not log in users. Users are presented with the default product login page. The KSSO admin panel will still function and will show a notification that the license is invalid. 

How do the features in Kantega SSO look in an architectural diagram?

Below is a diagram that shows many of the features in Kantega SSO.

...